SecurityWeek

Legacy Programming Languages Pose Serious Risks to Industrial Robots

Industrial robot security

Researchers at the Polytechnic University of Milan and cybersecurity firm Trend Micro have analyzed some of the most popular industrial programming languages and shown how they can open the door to attacks against robots and other programmable manufacturing machines. They have developed a worm to demonstrate the severity of their findings.

The researchers analyzed programming languages from ABB, Comau, Denso, Fanuc, Kawasaki, Kuka, Mitsubishi, and Universal Robots, which can be used to create custom applications that enable industrial robots to carry out complex automation routines.

The experts looked at 100 open source automation programs developed with these languages and discovered vulnerabilities in many of them, including flaws that could allow a hacker to control or disrupt a robot. They pointed out that while some of the code they analyzed may not be used in production, some of it originated from technical materials that are likely to be used by beginner programmers, and it’s not uncommon for open source code to make its way into final products.

A majority of the studied programming languages have been around for a long time and migrating to a different technology would be a difficult and expensive task for many organizations.

One of the vulnerabilities found by the researchers affected a web server created in ABB’s Rapid language. An attacker with access to the network hosting the targeted robot controller could have exploited the security hole to obtain sensitive information, including intellectual property, without authentication. ABB removed the vulnerable app from its RobotStudio store after being alerted.

In another example shared by Trend Micro, an open source app written for Kuka robots was affected by a vulnerability that could have been exploited to spoof network packets and control the robot’s movements, potentially causing physical damage or disrupting the production process if safety systems were not deployed or configured properly.

In addition to vulnerabilities in the apps developed with the analyzed programming languages, researchers discovered design flaws that can be exploited to hide malicious functionality in industrial robots and even create self-spreading malware.

All of the analyzed languages have communication functionality that enables apps to send and receive data to and from external systems. Some of them also allow applications to access low-level system resources, including file system access and the ability to load and execute code.

All this functionality enables an attacker to create powerful malware. For example, a sophisticated hacker could make small changes to the code running on a robot to fetch malicious code from a remote location and execute it.

A proof-of-concept (PoC) malware developed by the researchers using one of the legacy programming languages can automatically spread in the compromised environment like a worm and exfiltrate valuable data from devices, while allowing the attackers to remotely control their creation.

According to the researchers, these types of attacks are most likely to be launched by a well-resourced attacker — setting up a small lab to conduct experimental attacks on industrial robots can cost between $20,000 and $250,000 — who has specific knowledge of the targeted organization.

“It is impractical to fix these design flaws because legacy programming environments cannot be easily replaced. Not only have they become critical for current industrial automation, but the strong technology lock-in makes every switch very expensive. Consequently, despite the existence of newer alternatives, the big players behind the leading platforms still dominate the market. Switching away from their platforms is simply uneconomical,” Trend Micro wrote in its report.

Trend Micro and the Robotic Operating System (ROS) Industrial Consortium have shared some recommendations for reducing the risk of attacks and the security firm has also created a tool that organizations can use to identify vulnerabilities and malware.

This is not the first time Trend Micro and the Polytechnic University of Milan have analyzed the security of industrial robots. Back in 2017, they showed how malicious actors could target industrial robots, and earlier this year they published an analysis of the possible entry points and attacks for targeting smart manufacturing environments.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
